Forgot your password?
typodupeerror

Hackers Serving Rootkits with Bagles 150

Posted by CowboyNeal
from the worm-in-the-apple dept.
Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable and the addition of rootkit capabilities show how far ahead of the cat-and-mouse game the attackers are."
This discussion has been archived. No new comments can be posted.

Hackers Serving Rootkits with Bagles

Comments Filter:
  • Am I wrong (Score:5, Insightful)

    by 3.5 stripes (578410) on Friday March 31, 2006 @05:12AM (#15032717)
    Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?

    In the end, they're just another piece of cut and paste code for script kiddies.
    • Seen it before/ will see it again.
      Back when I was serious about security (and when it was easier/new) I had test systems running and I gathered all of the code/information/executables I could find and ran them against my systems setup for just this task. The most ineteresting aspect was how easy it was to embed my own payload in script kiddie fasion (knowing shit wasnt required( however I learned the x86 bootstrap via this fasion)), and then how vulnerablethe target systems were. Yep, basically DOS/windows.
    • hmmm...root kits ey?
      seems like the most pointless thing to put in malware, who runs untrusted executables they recieved in an email as an administrative user?
      Some people have learn. It's been ten years of popular email use and ten years of technical people telling users not to run untrusted executables.
      It's like telling someone "don't leave that random hitchhiker alone in your house while you go out to work".
      I am still amazed that people don't get it. There is still definitly something wrong in the world of
      • ...And its been nine years of technical people telling users not to use Outlook to read email. Even users who know better can't stop a trojan horse when the email is formatted properly. Just imagine if MS had arrived not invented ActiveScripting. Ugh, I cringe at the thought that we turned a text-based medium into something so harmful.
        • Don't worry, text based mailers, esp. that one called Pine have quite a nice collection of exploits, so the adding of activescript may have helped making it even worse, but doing away with it doesn't even come close to solving sloppy and buggy code.

      • "I am still amazed that people don't get it."


        I realize this isn't the sole reason people don't get it but I believe it would make it a noticeable difference: When will the technical people quit rescuing their friends and family concerning the data on these rooted boxes? I would be willing to bet a considerable amount that if these some people lost all their precious photos, music and e-mails that not only would they take a more proactive stance on security, they may also be more vigil about back-ups too.

        D
        • If they keep getting hit with spyware, eliminate MSIE as an option. This means switching to Mac OS X, Linux, BSD, or other. There are more secure options out there you know. :)

          • "...There are more secure options out there you know..."

            I think you missed my point entirely. So long as these people have that someone to bail them out they have no incentive to listen to advice; be it advised of anti-virus/spy/adware or running alternative software like a different OS even.
    • Re:Am I wrong (Score:3, Informative)

      by jayloden (806185)
      No, it's definitely not just you. I work with [removing] IM-based viruses as a hobby project, and there has been a clear shift from simple executable file viruses to full rootkits. Along the way I've seen everything from loading with the shell or userinit to winlogon to bogus kernel drivers.

      It's my personal (and professional) opinion that this is likely to become the norm. I give it another year or two before the majority of malware is all rootkit-based. It's far too easy to incorporate rootkit technology,
  • by totalbasscase (907682) on Friday March 31, 2006 @05:14AM (#15032721)
    Next time on Slashdot: "Bagle.GE authors sued by Sony for rootkit copyright infringement!" Honestly though, maybe we should all just start carrying around rootkits on our USB keys. Plug it into your aunt's computer, and she'll never forget your birthday again (even if she wanted to).
    • of course you have to execute a file on the drive manually, since USB drives dont subscribe t to the autoplay mentality :p

      Your joking has revealed an interesting point though - would it be possible to patent rootkit technology now, or some really restrictive DRM, so that when corporations/the government get around to developing software that wants to restrict our every move, it's already been done/patended? :D I'm not aware of all the intricacies of copyright law and prior art etc, and I'm aware if a gov
      • Funny, anytime I plug my USB key into my computer, WinXP asks me if I want to do something with it.

        I'm sure if you dropped an autoplay.inf file on the root of the drive, Windows could be tricked into executing it.
        • there's quite a difference between asking you if you want to view the folders on the drive, open in media player etc, and automatically running code without your permission.
          • The difference can be removed by the magical file autorun.inf in the root of the drive:
            [autorun]
            ICON=youre_fscked.ico
            open=rootkit.exe
            • And just to disprove myself... autorun doesn't work on USB storage media. Bummer.
            • Okay, I've actually done some research to backup the comment I saw here, that USB drives do not use autorun. Try reading http://www.experts-exchange.com/Storage/Q_20953875 .html [experts-exchange.com] .
      • Yes they do... just create an autorun.inf

        U3 drives even automatically run appplications that are stored on the drive when you execute it (and the code to do that is just unprotected XML files) - it would be perfectly possible to make a virus that replicated via U3.. just that nobody uses it yet so the virus writers haven't bothered.
        • when we had a discussion on USB security a while ago I was under the impression that autorun didnt work on USB keys. How is a program run 'automatically' if you have to 'execute it' first? And is U3 a type of drive, or a type of application that can be run? :p
  • The evolving virus (Score:5, Interesting)

    by ndogg (158021) <[moc.liamg] [ta] [nrohr.eht]> on Friday March 31, 2006 @05:19AM (#15032733) Homepage Journal
    I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.
    • by arivanov (12034)
      The older DAV and co viruses from the late 90-es were polymorphic and changed their code from time to time.

      In fact as far as underlying technology the current viruses have regressed back to simple non-polymorphic code. Not entirely surprising considering that they are written in a high level language nowdays. If you look at the recent crop there is anything including Delphi and VB used to write them with some EXE compression at the end applied to get the size down to a reasonable value.
      • The trick to malware writing in DOS is to hide from DOS. We do that by placing malware in some unclaimed memory and rapidly change it to keep malware scanners from pattern matching the malware.

        Windows changed that. Malware needs to be recognized by Windows, in some form or else it's not going to get it's messages and it's not going to be able to access the wonderful WinAPI, which will give it more power and make it smaller. There's no point in a spy changing their clothing to disguise themselves if th
    • by january (906774) on Friday March 31, 2006 @05:43AM (#15032780)
      Agree. This will be a breakthrough, and if anything is a mystery -- then the question, why it hasn't already happened.

      Evolving computer programs -- not simple genetic algorithms, but programs that actually "thrive" on CPU time and memory, and compete for these resources -- have been already used to experimentally investigate evolution. Note that there is a serious difference between a genetic algorithm and a truly evolving program. In the former case, the fitness function is precisely defined by the programmer. In the latter, the fitness is just what it is in living organisms -- ability to pass on the genes, or code.

      Check out the web page -- http://www.msu.edu/~lenski/ [msu.edu] -- of Richard Lenski, experimental evolutionist (bacteria in a test tube + computer), you will find a nice article on in silicio evolution on his web page. The guy has 4 Nature and 2 Science publications only on the topic of digital evolution.

      January

      j.
      • by aug24 (38229) on Friday March 31, 2006 @06:09AM (#15032825) Homepage
        The thing about genetic algorithms to date is that they have only been permitted to evolve within parameters. Evolving better weightings for poker playing bots for example. This is a highly successful technique, analogous to the way the human brain sets itself up - highly structured programming (physical brain) with variable parameters (experience).

        If you allow the code itself to evolve (typically achieved with Lisp or similar cos of the convenient tree structure of the code) then the likelihood is that you can write a better program than will evolve anyway, because so many of the evolved programs are utterly useless. This, of course, is the argument for Intelligent Design, except that the planet really does have unlimited time, and there aren't anti-virus companies constantly trying to sterilise the planet (as far as we know! ;-)

        Finally, most genetic algorithms require 'sex' type recombination to (randomly and hopefully) whittle away the useless code that has accumulated. This might be a little hard to implement in a cloaking virus - the one thing they don't want is to have any kind of signal that they are there!

        All in all, I'll be surprised to see a truly genetic algorithm virus ever. The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

        J.
        • "except that the planet really does have unlimited time"
          Huh? I'm not even pro-ID, but this nonsense.
          (BTW: I'm not neither ID nor a Darwin zealot. I'd rather have a clue and don't pretend I'm so cool because I know the origin of life. Nobody really knows , *NOBODY*, period)
        • The success of evolution in creating us has nothing to do with time.

          The reason evolution works for us and not for computer programs is that the language of our DNA is specifically geared to be useful for evolution. From the protein to the cell to the body, the coding system is designed so that new variations usually produce viable offspring. The fact that someone with an entire extra chromosome (Downs syndrome) can exist is a testament to the robustness of this code.

          This isn't surprising. Naturally ev
        • by zerocool^ (112121) on Friday March 31, 2006 @09:11AM (#15033476) Homepage Journal

          If you're talking polymorphic characteristics (in viruses or animals), the phrase you're looking for is Heterozygous Advantage [wikipedia.org]. Yes, I do live with a woman who is going to vet school and who has a degree in animal science.

          In computer terms, it's going to be hard for random code variations to produce a useful new code segment on their own, for exactly the reasons you describe - there needs to be "sex", or a merging of two codebases, in order to produce surrogate code.

          In terms of animals, however, if I may step on my pro-evolution soapbox... This is what all those people at the Institute for Creation Research and Answers in Genesis never talk about. The natural tendancy in animals (at least, and probably in other kingdoms) is for the offspring of a non-homogonous pairing to be *better* than either of the parents. No joke, this is the way it works. Not all the time, but more often than not.

          For example, my wife is pretty firmly against the homogonization of the beef industry onto black angus for meat and holstein for milk. The reason being, if you breed nothing but black angus to black angus, you're going to get black angus, which is good, but it will never get better than its parents. If you're breeding black angus and charolais, however, the genetic tendancy is that the offspring most of the time will posess the best characteristics of both parents (breeding and birthing ease with black angus, better meat with charolais).

          Anyway, I have to go fix a dead UPS.

          ~Will
          • Mixing breeds of the same species and getting better meat or milk is not an example of evolution any more than breeding two Olympic gold medalists of different races to spawn a super athlete. I don't see why a creationist would debate that. About the only people who would have a problem with your Angus-Charolais mix would be the CKK (Cow Klux Klan).

            • Evolution happens via small steps. But, then, I don't pretend to understand how it works; she's the biologist in the family, I just pick up on stuff as she talks.

              ~W
          • by aug24 (38229)
            Thanks for that, interesting.

            I'd propose a small correction to what you say: the natural tendency of sexual reproduction is to produce creatures that are either (a)inviable, which typically miscarry or (b) similar or (c) better. This would be analogous to receiving two lots of bad code, one of each, or two lots of good code respectively.

            AIUI a surprising number of the offspring of higher animals 'spontaneously' abort without the parent necessarily even knowing about it.

            Cheers,
            Justin.
          • Anyway, I have to go fix a dead UPS.

            You should just overnight FedEx a new one. Will Dunn. Goats. Fucker.
        • > All in all, I'll be surprised to see a truly genetic algorithm virus ever.

          I think with the continual increase in CPU power and connectivity, it's just a matter of time before they become feasible.

          > The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

          Probably the first generation will use mutations to change their AV signatures.
          (And that will result in genuine survival of the fittest!)
      • Most probably it have not happened yet because script kiddies are not good programmers, so they have no idea on how to do it. Isn't it true that script kiddies use some sort of virus generators to make up their viruses? if so, then it would be easy to spread a virus that is a generator itself.

        • Most probably it have not happened yet because script kiddies are not good programmers, so they have no idea on how to do it.

          So that's what, security through immaturity? (heh). Somebody writes the scripts the kiddies use. And some of those kiddies grow up.

      • It's not a mystery at all. GA's are not well suited to this problem. See my reply to the GP.
      • programs that actually "thrive" on CPU time and memory, and compete for these resources
        Aah, you mean Windows, Office, Internet Explorer, Outlook...

        (it's anti-Microsoft, dammit, feed me karma! :P )
      • Agree. This will be a breakthrough, and if anything is a mystery -- then the question, why it hasn't already happened.

        Maybe because:

        a) Hackers are usually interested in money, breaking into computers and not esoteric stuff like genetic algorithms. If they were, they'd be researchers at the MIT or something else, but not hackers.

        b) Script kiddies don't have a f***ing clue of what a genetic algorithm is.

        I'm certain that it requires an evil mastermind specialized in AI to develop such a virus. And when the day
    • I'd like to disagree, but with the growing promenance of organized crime, highly profitable spam, and so on, I can't. I'm mildly surprised that one of the bigger organizations hasn't gone out and found someone who can do what they need and has few scruples about doing it when the money is right.

      I can only assume that it's not worth doing - ie systems to crack are in such plentiful supply already that there's just no need to bother with real effort.
    • by Illserve (56215) on Friday March 31, 2006 @07:03AM (#15032921)
      It's hard to see why genetic algorithms are an inherently good way to design computer virii. The fitness landscape is not well suited to GA'S, it's too rugged. GA's need a particular structure of problem to function well, one in which every change produces an incremental benefit or impairment.

      Changing which registry key a worm modifies, or what files a virus affects will cause wildly varrying effects, 99.9999% of which will cause either no discernable effect, or blue screen the system. This is not a good setup for the GA to figure out what works best.

      So despite the similarity in name and function with biological viruses, computer virii (and worms, trojans etc) are not really evolvable, but need to be engineered.

      • >Changing which registry key a worm modifies, or what files a virus affects will
        >cause wildly varrying effects, 99.9999% of which will cause either no discernable
        >effect, or blue screen the system. This is not a good setup for the GA to figure
        >out what works best.
        >
        >So despite the similarity in name and function with biological viruses, computer
        >virii (and worms, trojans etc) are not really evolvable, but need to be
        >engineered.

        Interestingly enough, this is also true of meatspace.

        Evolu
        • Nice of you to hijack the thread for a bit of religious dogma.

          You underestimate the elegance of evolution and hence misunderstand it (which probably contributes to your need to attribute our existence to the divine). Yes individual changes produce very little obvious benefit, but the offspring is almost always still viable. This is very important because it means that evolution can (and does) make LOTS of changes within in each generation through sexual reproduction. In so doing it blazes through para
        • It's hard to conceptualize the transition, for example, from ground-based to airborne creatures caused by slow incremental changes - so many things need to occur, many of which are actually detrimental to the creature if it cannot actually fly...


          Hey, Rocky! Want to see me pull an example [wikipedia.org] out of a hat?

          • >>It's hard to conceptualize the transition, for example, from ground-based to >>airborne creatures caused by slow incremental changes - so many things need to >>occur, many of which are actually detrimental to the creature if it cannot >>actually fly...

            >Hey, Rocky! Want to see me pull an example out of a hat? (link to Flying Squirrel article on Wikipedia)

            Flying is a loooooooong way from gliding. No matter what changes you made to Rocky, he could never achieve self-powered climbin
            • Flying is a loooooooong way from gliding. No matter what changes you made to Rocky, he could never achieve self-powered climbing flight.

              I think you aren't giving Rocky enough credit. All it would take is for some of the squirrels out there who are born with extra-large gliding-flaps (or whatever they are called) to start moving them just a little bit during flight, to give them a slightly longer glide, and presto! These squirrels can now reach more trees than their non-enhanced neighbors, and thus are mor

        • The difference is that a mutation to most pieces of (functional) code will make the code stop working - for example, a change to a variable name, or register or operation will almost certainly drastically impair the program's function, or produce something undesirable. In a gene, a change like this may produce a non-functional protein, or it may produce a protein that folds very slightly differently, and hence allow for evolution. It is the acceptance of small, incremental change that allows non-destructiv
      • by Anonymous Coward
        The secret is to design a 'language' to write viruses in that makes it almost impossible to write a non-runnable program.

        With biological organisms, many genes are copies of existing genes that have been modified over time. One of the fundamental mutation operations is the duplication of a region of dna, which can contain one or more genes. Since having two copies of a gene is not (usually) harmful, this avoids having to evolve new genes from scratch.

        So if the virus mutates the registry key that's hidden,
    • Well, its not that viruses have gotten dumber, its that virus scanners have gotten smarter. Why take the time to code a polymorphic program that can be detected in memory anyway? 100% of it would have to be polymorphic.
    • by Anonymous Coward
      viruses are already a form of genetic algorithm. A slowly evolving (well kind of slow at least) GA. think about it, all the components are there. The mechanism is the script kiddie. The environment is our computers. The virus codes are all mostly the same (same genes), new ones are created through cut and paste (crossover) and occasionally a new radically more effective one comes out and quickly the entire population moves to this newer, more effective (better fitness) code.

      we're all part of a giant ex
    • it's only a matter of time before CSI has a computer virus DNA scanner/fingerprinter.

    • It's already happened, but not through the intentional use of genetic algorithms. Back in the late 1980's, there was a virus on MSDos that was dirt simple: it would attach itself to two other .COM files provided they weren't already infected and, if the date was Friday the 13th, it would delete files off your system. Now, this might seem like a good design, from a black hat's point of view, but it isn't optimal from the viruses point of view.

      Enter natural selection.

      As with any repeated copying process,

  • Dupe! (Score:1, Funny)

    by zaguar (881743)
    It's a Windows security alert! I call dupe! After all the WMF flaws, this latest IE exploit [slashdot.org] and Vista delays, what else is there on /.?
  • by True ChAoS (157946) <gray@@@chaosink...co...uk> on Friday March 31, 2006 @05:26AM (#15032752) Homepage
    This has been written about before on the F-Secure security blog [f-secure.com]. There's also a nice pic of what all the different parts of bagel look like [f-secure.com] and how they interact.
  • by january (906774) on Friday March 31, 2006 @05:30AM (#15032762)
    It definitely isn't, trust me. I'm a ...biologist.

    I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif [slashdot.org] -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.

    You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.j pg [med.vu.nl] is a nice picture of C.elegans, The Model Worm (r).

    January
  • by jtcedinburgh (626412) on Friday March 31, 2006 @05:39AM (#15032776)
    Mark me OffTopic if you will (it's Friday and I'm feeling brave, so I'll take that risk), but when I first read this, I read it as:

    "Hackers Serving Rootkits with Bagels"

    ...and I started to think how cool a hacker café would be... then I got to wondering what else you might be able to order at a hacker café:

    Trojan Muffins (secret filling might bring surprise!)
    DDoS Donuts (very tasty, but eat too many and they gang up on you)
    L33t Latté (quintuple espresso with a single shot of milk)
    Keylogger Cakes (be careful, they're watching)

    ...and so on (I shall spare you the rest).

    Ah well, as they say in these parts 'ah'll get me coat'...
    • Trojan Muffins (secret filling might bring surprise!)
      DDoS Donuts (very tasty, but eat too many and they gang up on you)
      L33t Latté (quintuple espresso with a single shot of milk)
      Keylogger Cakes (be careful, they're watching)


      I think ThinkGeek just found their newest product line.
    • Perhaps one might be interested in a glass of "SSHut the hell up!"

      Just kidding - lol
    • Re:Mmmmm... bagels! (Score:2, Interesting)

      by thefranktate (964964)
      You should read the book "Golf is a Four Letter Word". It starts out with the author describing his addiction to golf, how it ruined his life, and how he was finally able to give it up. Then starts the sad part - though he has given up the game, his albatross is the need to write poems, limericks, and other wordplays all about golf. It's really, truly sad. And I think you could empathize with the guy :)
    • OMGWTFBBQ Ribs... Pwnage burger...
  • SysInternals' free program RootkitRevealer [sysinternals.com] is the best way I know to reveal the presence of rootkits.

    In general, any program SysInternals provides is the best in its field, I've found.

    Try the just updated (March 7, 2006) version of Autoruns [sysinternals.com] to find nasty stuff running under Windows.

    --
    Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement?
  • by ScrewTivo (458228) on Friday March 31, 2006 @06:42AM (#15032892) Homepage
    I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker [blogspot.com]. If you think there is something I need to add or remove then please leave a comment.

    My friend is opening up a coffee shop that will have an ap. I will make some copies of Ubuntu for the customers to use.

    Now where do I find a dentist for the rootkit I received when I didn't take my own advice :)

    • Well, if you like having an AdSense account, you might want to stop encouraging readers to "click on the ads a few times".
    • The live Edubuntu CD is out. By default the network connections are disabled.
      After booting, select the interface you want to use, on my laptop I have the choice of eter0 wireless, ether1 wired, or ether2 modem. Nice. After choosing static or or another setup, choose Activate. Boom, online with no problems.

      Everything works, including sound.

      The best part is the live CD has an install icon. If they like it, the live CD is also the install CD. Nice touch to help the migration.

      The Edubuntu distro has lots of
  • No matter how nasty worms get a user still has to execute them for his/her PC to become infected -- and even then with a decent setup there's still the possibility/probability of a correctly-setup anti-virus prog checking the message between the user's click(s) and the execution of the malware.

    So, malware makers are not so much "ahead of the game" as "still reliant on the problem that exists between the keyboard and the chair."
    • No matter how nasty worms get a user still has to execute them for his/her PC to become infected

      No. That's the whole point of a worm - it spreads itself without need for user intervention. Typically they exploit holes in server software, using buffer overruns and similar to cause it to execute a copy of their code. They then infect the machine and look for other hosts to spread to.

      Bagle and similar email-borne "worms" generally are not true worms, in that they generally do require user intervention. While t
    • I don't know where this myth comes from, but you only need to look at Microsoft's own security bulletins to see that this just isn't the case. Unchecked buffers resulting in buffer overflows mean that a cracker can install and run any code he likes, without you ever knowing about it.

      For example [eweek.com]

      Here is an excerpt:

      Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.

      Worse than that, the

    • No matter how nasty worms get a user still has to execute them for his/her PC to become infected

      DING! WRONG ANSWER
      Seriously, how the hell did this get modded "Insightful"??? Obviously a low /. UID is no guarantee of technical acumen.

      Please educate yourself; http://www.webopedia.com/DidYouKnow/Internet/2004/ virus.asp [webopedia.com]

  • by digitaldc (879047) * on Friday March 31, 2006 @07:24AM (#15032955)
    Your O/S locks with Bagels, sir.
  • by popo (107611)
    Mac users typically know very little about windows or linux, and yet they still claim they use the "best" operating system?

    The Mac equation is a minimal set of software options and guaranteed interoperability. Its idiot proof. That's what people like about it.

    Its also IMHO what sucks about it.

    I have a mac, I have a pc and I have an okay linux box.

    The mac is for sure the sexiest, but its option poor. Mac users feel free to flame away, but if you can't back it up with a logical comparison, then you've only
  • Search Results for: Bagle.GE produced zero results
  • by antdude (79039) on Friday March 31, 2006 @09:30AM (#15033617) Homepage Journal
    ... who doesn't want free yummy bagles to eat? Oh, you mean the computer types... [grin]
  • assuming that programmers use logic as I do in my programming, why make these things? if you're out to prove something why not make a useful program that gets noticed merely because of how great it is as it helps people do something, rather than something harmful and invasive.

    no matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do i
    • I'd much rather be known for creating something terribly awesome, not awesomely terrible.


      I, for one, would rather be infamous, than famous.
    • > no matter how hard I try to figure out the reasoning behind creating such devices of invasion, the more confused I get. The only thing that it sounds like is that since they can't physically bully people around they figure they'll do it cyberally(?). If its a point they're trying to prove, besides the fact that they are complete jackasses, then I do believe it has been lost in the translation. I'd much rather be known for creating something terribly awesome, not awesomely terrible.

      Some people enjoy cre
  • by billcopc (196330) <vrillco@yahoo.com> on Friday March 31, 2006 @10:20AM (#15033992) Homepage
    Years.. no, decades ago, everyone was scared shitless of boot sector viruses. Today it's rootkits. This isn't rocket science, it's about friggin time these things hit the mainstream. It's obvious that today's software relies on many layers of abstraction provided by the OS. Infiltrate one of those layers and you've fooled the entire system. It's no different than the men with wires going to their ears saying "You didn't see anything, move along", except your software's too dumb to see that the man is lying. There is no ultimate solution to this, software is software and no matter how well you try to secure the OS, all it takes is a little patch to disable all your security. The closest thing to a secure OS would be some sort of read-only boot device, and I really mean READ-ONLY, not just "mount -o ro". Boot off the DVD-Rom.. even then, just one glitch in the programming could open up the whole system to in-memory patching.

    What we CAN do to relieve this plague is take away the motivation behind viruses. They don't exist just for fun, they serve a purpose.. DDoS is a lucrative racket. If we can somehow make an infected PC less valuable to the attacker, to the point where it's not even worth infecting, the virus threat will slow down to a crawl. Why don't we have more Linux viruses ? Because it's a high-risk, low-potential target. If Microsoft could accomplish the same level of security with the average Windows PC, virus authors would have to go out and get real friggin jobs for once.
  • Is what you eat. Bagle is l33t.
  • by damg (906401)
    "being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word hacker to describe crackers; this irritates real hackers no end." Great esr quote from http://www.catb.org/~esr/faqs/hacker-howto.html [catb.org].
    • Usage by the vast majority of native speakers of a language is what defines words, not one pathetic wanker with a "jargon file". Get over it.
  • I think the only way to get ahead of these rootkits is to make the OS its own rootkit. This is, caging. Executing the apps in virtual winxp environments and let them modify their own registry entries.

    I think I saw a virtualization software out there, but I don't remember well.

Maybe Computer Science should be in the College of Theology. -- R. S. Barton

Working...